Bug 2447141 (CVE-2026-1527) - CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability
Summary: CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vul...
Keywords:
Status: NEW
Alias: CVE-2026-1527
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2447172 2447175 2447169 2447178
Blocks:
Reported: 2026-03-12 21:01 UTC by OSIDB Bzimport
Modified: 2026-03-12 22:05 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-12 21:01:44 UTC
Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  * Inject arbitrary HTTP headers
  * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
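The following is an added example, not undici's code or part of the advisory, contrasting the unvalidated header build quoted above with a hardened version that rejects a value containing CR, LF or other characters not permitted in an HTTP field value before it reaches the socket. All function names and the sample inputs are hypothetical; the character class used for the check is the one Node.js itself applies to header values.

```javascript
// Added example (not undici's code): shows why the unvalidated upgrade value
// is a CRLF injection point and how a field-value check closes it.
// Function names and inputs are hypothetical.

// Mirrors the vulnerable pattern from lib/dispatcher/client-h1.js: the
// upgrade value is interpolated into the raw request head unchecked.
function buildUpgradeHeaderUnsafe (upgrade) {
  let header = ''
  if (upgrade) {
    header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
  }
  return header
}

// HTTP field values may not contain CR, LF, NUL or other control bytes.
// This class (the same one Node.js uses for header values) matches any
// character outside HTAB, visible ASCII and obs-text, so CR and LF are
// rejected before they can terminate the header line.
const INVALID_FIELD_VALUE = /[^\t\x20-\x7e\x80-\xff]/

function isValidHeaderValue (value) {
  return typeof value === 'string' && !INVALID_FIELD_VALUE.test(value)
}

// Hardened variant: validate first, only then build the header lines.
function buildUpgradeHeaderSafe (upgrade) {
  let header = ''
  if (upgrade) {
    if (!isValidHeaderValue(upgrade)) {
      throw new TypeError('invalid character in upgrade header value')
    }
    header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
  }
  return header
}

// Counts the header lines in a raw request head. The unsafe builder is meant
// to emit exactly two; a CRLF inside the value makes it emit more, which is
// the injection the advisory describes.
function countHeaderLines (head) {
  return head.split('\r\n').filter((line) => line.length > 0).length
}

// Constructed inputs: a normal upgrade token and one carrying an embedded
// CRLF followed by an extra header line.
const benign = 'websocket'
const tampered = 'websocket\r\nx-injected: 1'

console.log(countHeaderLines(buildUpgradeHeaderUnsafe(benign)))   // 2
console.log(countHeaderLines(buildUpgradeHeaderUnsafe(tampered))) // 3
try {
  buildUpgradeHeaderSafe(tampered)
} catch (err) {
  console.log('rejected:', err.message)
}
```

The point of the check is that it runs on the value as a whole, before any string concatenation, so it does not depend on where the value is later placed in the request head.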

